Add LibreOffice security advisories importer

Fetches CVE IDs from the LibreOffice advisory listing page and
retrieves structured data (CVSS, CWE, references, dates) from
the CVE 5.0 JSON API at cveawg.mitre.org.

Fixes: #1898

Signed-off-by: Anmol Vats <anmolvats2003@gmail.com>

Author: NucleiAv

vulnerabilities/importers/__init__.py

@@ -59,6 +59,7 @@
 from vulnerabilities.pipelines.v2_importers import github_osv_importer as github_osv_importer_v2
 from vulnerabilities.pipelines.v2_importers import gitlab_importer as gitlab_importer_v2
 from vulnerabilities.pipelines.v2_importers import istio_importer as istio_importer_v2
+from vulnerabilities.pipelines.v2_importers import libreoffice_importer as libreoffice_importer_v2
 from vulnerabilities.pipelines.v2_importers import mattermost_importer as mattermost_importer_v2
 from vulnerabilities.pipelines.v2_importers import mozilla_importer as mozilla_importer_v2
 from vulnerabilities.pipelines.v2_importers import nginx_importer as nginx_importer_v2
@@ -118,6 +119,7 @@
         retiredotnet_importer_v2.RetireDotnetImporterPipeline,
         ubuntu_osv_importer_v2.UbuntuOSVImporterPipeline,
         alpine_linux_importer_v2.AlpineLinuxImporterPipeline,
+        libreoffice_importer_v2.LibreOfficeImporterPipeline,
         nvd_importer.NVDImporterPipeline,
         github_importer.GitHubAPIImporterPipeline,
         gitlab_importer.GitLabImporterPipeline,

vulnerabilities/pipelines/v2_importers/libreoffice_importer.py

@@ -0,0 +1,154 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import json
+import logging
+import re
+from typing import Iterable
+
+import dateparser
+import requests
+
+from vulnerabilities.importer import AdvisoryDataV2
+from vulnerabilities.importer import ReferenceV2
+from vulnerabilities.importer import VulnerabilitySeverity
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
+from vulnerabilities.severity_systems import SCORING_SYSTEMS
+from vulnerabilities.utils import get_cwe_id
+
+logger = logging.getLogger(__name__)
+
+ADVISORIES_URL = "https://www.libreoffice.org/about-us/security/advisories/"
+CVE_API_URL = "https://cveawg.mitre.org/api/cve/{cve_id}"
+
+CVSS_KEY_MAP = {
+    "cvssV4_0": SCORING_SYSTEMS["cvssv4"],
+    "cvssV3_1": SCORING_SYSTEMS["cvssv3.1"],
+    "cvssV3_0": SCORING_SYSTEMS["cvssv3"],
+    "cvssV2_0": SCORING_SYSTEMS["cvssv2"],
+}
+
+
+class LibreOfficeImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
+    """Collect LibreOffice security advisories via the CVE API."""
+
+    pipeline_id = "libreoffice_importer"
+    spdx_license_expression = "LicenseRef-scancode-proprietary-license"
+    license_url = "https://www.libreoffice.org/about-us/security/"
+    precedence = 200
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.fetch,
+            cls.collect_and_store_advisories,
+        )
+
+    def fetch(self):
+        self.log(f"Fetch `{ADVISORIES_URL}`")
+        resp = requests.get(ADVISORIES_URL, timeout=30)
+        resp.raise_for_status()
+        self.cve_ids = parse_cve_ids(resp.text)
+
+    def advisories_count(self):
+        return len(self.cve_ids)
+
+    def collect_advisories(self) -> Iterable[AdvisoryDataV2]:
+        for cve_id in self.cve_ids:
+            url = CVE_API_URL.format(cve_id=cve_id)
+            try:
+                resp = requests.get(url, timeout=30)
+                resp.raise_for_status()
+            except Exception as e:
+                logger.error("Failed to fetch CVE API for %s: %s", cve_id, e)
+                continue
+            advisory = parse_cve_advisory(resp.json(), cve_id)
+            if advisory:
+                yield advisory
+
+
+def parse_cve_ids(html: str) -> list:
+    """Return deduplicated CVE IDs from the LibreOffice advisories listing page."""
+    return list(dict.fromkeys(re.findall(r"CVE-\d{4}-\d+", html)))
+
+
+def parse_cve_advisory(data: dict, cve_id: str):
+    """Parse a CVE 5.0 JSON record from cveawg.mitre.org; return None if CVE ID is absent."""
+    cve_metadata = data.get("cveMetadata") or {}
+    advisory_id = cve_metadata.get("cveId") or cve_id
+    if not advisory_id:
+        return None
+
+    date_published = None
+    raw_date = cve_metadata.get("datePublished") or ""
+    if raw_date:
+        date_published = dateparser.parse(
+            raw_date,
+            settings={"TIMEZONE": "UTC", "RETURN_AS_TIMEZONE_AWARE": True, "TO_TIMEZONE": "UTC"},
+        )
+        if date_published is None:
+            logger.warning("Could not parse date %r for %s", raw_date, advisory_id)
+
+    cna = (data.get("containers") or {}).get("cna") or {}
+
+    summary = ""
+    for desc in cna.get("descriptions") or []:
+        if desc.get("lang") in ("en", "en-US"):
+            summary = desc.get("value") or ""
+            break
+
+    severities = []
+    for metric in cna.get("metrics") or []:
+        for key, system in CVSS_KEY_MAP.items():
+            cvss = metric.get(key)
+            if not cvss:
+                continue
+            vector = cvss.get("vectorString") or ""
+            score = cvss.get("baseScore")
+            if vector and score is not None:
+                severities.append(
+                    VulnerabilitySeverity(
+                        system=system,
+                        value=str(score),
+                        scoring_elements=vector,
+                    )
+                )
+            break
+
+    weaknesses = []
+    for problem_type in cna.get("problemTypes") or []:
+        for desc in problem_type.get("descriptions") or []:
+            cwe_str = desc.get("cweId") or ""
+            if cwe_str.upper().startswith("CWE-"):
+                try:
+                    weaknesses.append(get_cwe_id(cwe_str))
+                except Exception:
+                    pass
+
+    advisory_url = (
+        f"https://www.libreoffice.org/about-us/security/advisories/{advisory_id.lower()}/"
+    )
+    references = []
+    for ref in cna.get("references") or []:
+        url = ref.get("url") or ""
+        if url:
+            references.append(ReferenceV2(url=url))
+
+    return AdvisoryDataV2(
+        advisory_id=advisory_id,
+        aliases=[],
+        summary=summary,
+        affected_packages=[],
+        references=references,
+        date_published=date_published,
+        weaknesses=weaknesses,
+        severities=severities,
+        url=advisory_url,
+        original_advisory_text=json.dumps(data, indent=2, ensure_ascii=False),
+    )

vulnerabilities/tests/pipelines/v2_importers/test_libreoffice_importer.py

@@ -0,0 +1,144 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import json
+import os
+from unittest import TestCase
+from unittest.mock import MagicMock
+from unittest.mock import patch
+
+from vulnerabilities.pipelines.v2_importers.libreoffice_importer import LibreOfficeImporterPipeline
+from vulnerabilities.pipelines.v2_importers.libreoffice_importer import parse_cve_advisory
+from vulnerabilities.pipelines.v2_importers.libreoffice_importer import parse_cve_ids
+
+TEST_DATA = os.path.join(os.path.dirname(__file__), "..", "..", "test_data", "libreoffice")
+
+
+def load_json(filename):
+    with open(os.path.join(TEST_DATA, filename), encoding="utf-8") as f:
+        return json.load(f)
+
+
+def load_html(filename):
+    with open(os.path.join(TEST_DATA, filename), encoding="utf-8") as f:
+        return f.read()
+
+
+class TestParseCveIds(TestCase):
+    def test_extracts_cve_ids_from_html(self):
+        html = load_html("advisories.html")
+        cve_ids = parse_cve_ids(html)
+        self.assertIn("CVE-2025-1080", cve_ids)
+        self.assertIn("CVE-2023-2255", cve_ids)
+        self.assertIn("CVE-2023-4863", cve_ids)
+
+    def test_deduplicates_repeated_ids(self):
+        html = "<a>CVE-2025-1080</a> ... <a>CVE-2025-1080</a>"
+        self.assertEqual(parse_cve_ids(html), ["CVE-2025-1080"])
+
+    def test_empty_html_returns_empty_list(self):
+        self.assertEqual(parse_cve_ids("<html></html>"), [])
+
+
+class TestParseCveAdvisory(TestCase):
+    def test_cvss4_and_cwe(self):
+        data = load_json("cve_2025_1080.json")
+        advisory = parse_cve_advisory(data, "CVE-2025-1080")
+        self.assertIsNotNone(advisory)
+        self.assertEqual(advisory.advisory_id, "CVE-2025-1080")
+        self.assertEqual(advisory.aliases, [])
+        self.assertIn("macro", advisory.summary.lower())
+        self.assertEqual(len(advisory.severities), 1)
+        self.assertEqual(advisory.severities[0].value, "7.2")
+        self.assertIn("CVSS:4.0/", advisory.severities[0].scoring_elements)
+        self.assertEqual(advisory.weaknesses, [20])
+        self.assertIsNotNone(advisory.date_published)
+        self.assertIn("cve-2025-1080", advisory.url)
+
+    def test_no_cvss_has_empty_severities(self):
+        data = load_json("cve_2023_2255.json")
+        advisory = parse_cve_advisory(data, "CVE-2023-2255")
+        self.assertIsNotNone(advisory)
+        self.assertEqual(advisory.severities, [])
+
+    def test_cwe_264_extracted(self):
+        data = load_json("cve_2023_2255.json")
+        advisory = parse_cve_advisory(data, "CVE-2023-2255")
+        self.assertEqual(advisory.weaknesses, [264])
+
+    def test_references_from_cna(self):
+        data = load_json("cve_2023_2255.json")
+        advisory = parse_cve_advisory(data, "CVE-2023-2255")
+        urls = [r.url for r in advisory.references]
+        self.assertIn("https://www.debian.org/security/2023/dsa-5415", urls)
+        self.assertIn("https://security.gentoo.org/glsa/202311-15", urls)
+
+    def test_missing_cve_id_returns_none(self):
+        advisory = parse_cve_advisory({"cveMetadata": {"cveId": ""}, "containers": {}}, "")
+        self.assertIsNone(advisory)
+
+    def test_original_advisory_text_is_json(self):
+        data = load_json("cve_2025_1080.json")
+        advisory = parse_cve_advisory(data, "CVE-2025-1080")
+        parsed = json.loads(advisory.original_advisory_text)
+        self.assertEqual(parsed["cveMetadata"]["cveId"], "CVE-2025-1080")
+
+    def test_malformed_cwe_skipped(self):
+        data = load_json("cve_2025_1080.json")
+        data = json.loads(json.dumps(data))
+        data["containers"]["cna"]["problemTypes"] = [
+            {"descriptions": [{"cweId": "CWE-INVALID", "lang": "en", "type": "CWE"}]}
+        ]
+        advisory = parse_cve_advisory(data, "CVE-2025-1080")
+        self.assertEqual(advisory.weaknesses, [])
+
+
+class TestLibreOfficeImporterPipeline(TestCase):
+    def _make_resp(self, data, status=200):
+        resp = MagicMock()
+        resp.json.return_value = data
+        resp.text = json.dumps(data)
+        resp.raise_for_status.return_value = None
+        resp.status_code = status
+        return resp
+
+    @patch("vulnerabilities.pipelines.v2_importers.libreoffice_importer.requests.get")
+    def test_fetch_stores_cve_ids(self, mock_get):
+        html = load_html("advisories.html")
+        mock_get.return_value = MagicMock(text=html, raise_for_status=MagicMock())
+        pipeline = LibreOfficeImporterPipeline()
+        pipeline.fetch()
+        self.assertIn("CVE-2025-1080", pipeline.cve_ids)
+        self.assertIn("CVE-2023-2255", pipeline.cve_ids)
+
+    @patch("vulnerabilities.pipelines.v2_importers.libreoffice_importer.requests.get")
+    def test_collect_advisories_yields_advisory(self, mock_get):
+        cve_data = load_json("cve_2025_1080.json")
+        pipeline = LibreOfficeImporterPipeline()
+        pipeline.cve_ids = ["CVE-2025-1080"]
+        mock_get.return_value = self._make_resp(cve_data)
+        advisories = list(pipeline.collect_advisories())
+        self.assertEqual(len(advisories), 1)
+        self.assertEqual(advisories[0].advisory_id, "CVE-2025-1080")
+
+    @patch("vulnerabilities.pipelines.v2_importers.libreoffice_importer.requests.get")
+    def test_collect_advisories_skips_on_http_error(self, mock_get):
+        pipeline = LibreOfficeImporterPipeline()
+        pipeline.cve_ids = ["CVE-2025-1080"]
+        mock_get.side_effect = Exception("timeout")
+        logger_name = "vulnerabilities.pipelines.v2_importers.libreoffice_importer"
+        with self.assertLogs(logger_name, level="ERROR") as cm:
+            advisories = list(pipeline.collect_advisories())
+        self.assertEqual(advisories, [])
+        self.assertTrue(any("CVE-2025-1080" in msg for msg in cm.output))
+
+    def test_advisories_count(self):
+        pipeline = LibreOfficeImporterPipeline()
+        pipeline.cve_ids = ["CVE-2025-1080", "CVE-2023-2255"]
+        self.assertEqual(pipeline.advisories_count(), 2)

vulnerabilities/tests/test_data/libreoffice/advisories.html

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<h3>Addressed in LibreOffice 24.8.5 and 25.2.1</h3>
+<ul>
+<li><a href="/about-us/security/advisories/cve-2025-1080/">CVE-2025-1080</a> Macro URL arbitrary script execution</li>
+</ul>
+<h3>Addressed in LibreOffice 7.4.7 and 7.5.3</h3>
+<ul>
+<li><a href="/about-us/security/advisories/cve-2023-2255/">CVE-2023-2255</a> Remote documents loaded without prompt via IFrame</li>
+</ul>
+<h3>Third Party Advisories</h3>
+<ul>
+<li><a href="/about-us/security/advisories/cve-2023-4863/">CVE-2023-4863</a> libwebp heap buffer overflow</li>
+</ul>
+</body>
+</html>